-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________

                   Caldera International, Inc.  Security Advisory

Subject:              Linux: REVISED: buffer overflow in multiple DNS
                      resolver libraries
Advisory number:      CSSA-2002-034.1
Issue date:           2002 August 07
Cross reference:
______________________________________________________________________________


1. Problem Description

   From CERT CA-2002-19:

   A buffer overflow vulnerability exists in multiple implementations of
   DNS resolver libraries. Operating systems and applications that utilize
   vulnerable DNS resolver libraries may be affected. A remote attacker who
   is able to send malicious DNS responses could potentially exploit this
   vulnerability to execute arbitrary code or cause a denial of service on
   a vulnerable system.

   The packages in this updated advisory (CSSA-2002-034.1) fix an
   installation problem with the glibc rpms.


2. Vulnerable Supported Versions

   System                      Package
   ----------------------------------------------------------------------
   OpenLinux 3.1.1 Server      prior to bind-8.3.3-1.i386.rpm
                               prior to bind-doc-8.3.3-1.i386.rpm
                               prior to bind-utils-8.3.3-1.i386.rpm
                               prior to glibc-2.2.4-24.i386.rpm
                               prior to glibc-devel-2.2.4-24.i386.rpm
                               prior to glibc-devel-static-2.2.4-24.i386.rpm
                               prior to glibc-localedata-2.2.4-24.i386.rpm
                               prior to nscd-2.2.4-24.i386.rpm

   OpenLinux 3.1.1 Workstation prior to bind-8.3.3-1.i386.rpm
                               prior to bind-doc-8.3.3-1.i386.rpm
                               prior to bind-utils-8.3.3-1.i386.rpm
                               prior to glibc-2.2.4-24.i386.rpm
                               prior to glibc-devel-2.2.4-24.i386.rpm
                               prior to glibc-devel-static-2.2.4-24.i386.rpm
                               prior to glibc-localedata-2.2.4-24.i386.rpm
                               prior to nscd-2.2.4-24.i386.rpm

   OpenLinux 3.1 Server        prior to bind-8.3.3-1.i386.rpm
                               prior to bind-doc-8.3.3-1.i386.rpm
                               prior to bind-utils-8.3.3-1.i386.rpm
                               prior to glibc-2.2.4-24.i386.rpm
                               prior to glibc-devel-2.2.4-24.i386.rpm
                               prior to glibc-devel-static-2.2.4-24.i386.rpm
                               prior to glibc-localedata-2.2.4-24.i386.rpm
                               prior to nscd-2.2.4-24.i386.rpm

   OpenLinux 3.1 Workstation   prior to bind-8.3.3-1.i386.rpm
                               prior to bind-doc-8.3.3-1.i386.rpm
                               prior to bind-utils-8.3.3-1.i386.rpm
                               prior to glibc-2.2.4-24.i386.rpm
                               prior to glibc-devel-2.2.4-24.i386.rpm
                               prior to glibc-devel-static-2.2.4-24.i386.rpm
                               prior to glibc-localedata-2.2.4-24.i386.rpm
                               prior to nscd-2.2.4-24.i386.rpm


3. Solution

   The proper solution is to install the latest packages. Many customers
   find it easier to use the Caldera System Updater, called cupdate (or
   kcupdate under the KDE environment), to update these packages rather
   than downloading and installing them by hand.

   If the packages are downloaded by hand, compare each file against the
   MD5 checksum listed for it in sections 4.2 to 7.2 before installing it.
   Note that the vulnerable resolver code lives in shared libraries: a
   process that was already running when glibc was replaced (nscd, named,
   and any long-lived daemon that performs name lookups) keeps executing
   the old library until it is restarted, so restart such services, or
   reboot, after the update.


4. OpenLinux 3.1.1 Server

   4.1 Package Location

   ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-034.1/RPMS

   4.2 Packages

   1279baf77d5006e440ffb69dedc9058e  bind-8.3.3-1.i386.rpm
   f45379215465d757b312710f560cde7e  bind-doc-8.3.3-1.i386.rpm
   5bbb083ffb71895a962c33a8066a6e59  bind-utils-8.3.3-1.i386.rpm
   f9584ddab0188668ecd9d214a303ef63  glibc-2.2.4-24.i386.rpm
   1ebc6edd49450bcf100e74b8500b31ee  glibc-devel-2.2.4-24.i386.rpm
   6444fd7fe6dd762cdfe79adbce7cb312  glibc-devel-static-2.2.4-24.i386.rpm
   bd58b7371605a8730fbc2e2566661657  glibc-localedata-2.2.4-24.i386.rpm
   41d6ac854a470941bc9b96ad40c3d80c  nscd-2.2.4-24.i386.rpm

   4.3 Installation

   rpm -Fvh bind-8.3.3-1.i386.rpm
   rpm -Fvh bind-doc-8.3.3-1.i386.rpm
   rpm -Fvh bind-utils-8.3.3-1.i386.rpm
   rpm -Fvh glibc-2.2.4-24.i386.rpm
   rpm -Fvh glibc-devel-2.2.4-24.i386.rpm
   rpm -Fvh glibc-devel-static-2.2.4-24.i386.rpm
   rpm -Fvh glibc-localedata-2.2.4-24.i386.rpm
   rpm -Fvh nscd-2.2.4-24.i386.rpm

   4.4 Source Package Location

   ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-034.1/SRPMS

   4.5 Source Packages

   ea73e9ea65f4a9c4928f5fffd068d4a2  bind-8.3.3-1.src.rpm
   cb60d1be4fdda80c27573bd9ece9b158  glibc-2.2.4-24.src.rpm


5. OpenLinux 3.1.1 Workstation

   5.1 Package Location

   ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2002-034.1/RPMS

   5.2 Packages

   375e7f9de0962ac8412c3a73390851ee  bind-8.3.3-1.i386.rpm
   43eee0471a6b7878ac674376156dc0cc  bind-doc-8.3.3-1.i386.rpm
   91da549217af4f260a53b75285dfb6bd  bind-utils-8.3.3-1.i386.rpm
   d13d0853f7a9301343e5633e59dfd757  glibc-2.2.4-24.i386.rpm
   577579894f45fb637f8d5fa82fda58f8  glibc-devel-2.2.4-24.i386.rpm
   66a5d5c5ca520560a95241e1798f83bb  glibc-devel-static-2.2.4-24.i386.rpm
   ed66a42ee3efc7688e556ff7d4258d5b  glibc-localedata-2.2.4-24.i386.rpm
   2a0c9e7d8c77fd1caeca180eb56850f7  nscd-2.2.4-24.i386.rpm

   5.3 Installation

   rpm -Fvh bind-8.3.3-1.i386.rpm
   rpm -Fvh bind-doc-8.3.3-1.i386.rpm
   rpm -Fvh bind-utils-8.3.3-1.i386.rpm
   rpm -Fvh glibc-2.2.4-24.i386.rpm
   rpm -Fvh glibc-devel-2.2.4-24.i386.rpm
   rpm -Fvh glibc-devel-static-2.2.4-24.i386.rpm
   rpm -Fvh glibc-localedata-2.2.4-24.i386.rpm
   rpm -Fvh nscd-2.2.4-24.i386.rpm

   5.4 Source Package Location

   ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2002-034.1/SRPMS

   5.5 Source Packages

   99e8f0fa8d7a03d563db6d8d34fa30c1  bind-8.3.3-1.src.rpm
   2152613b7c8fced1081a8155f72ff3bf  glibc-2.2.4-24.src.rpm


6. OpenLinux 3.1 Server

   6.1 Package Location

   ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/CSSA-2002-034.1/RPMS

   6.2 Packages

   5ecff2862a1ddd97319c62b9049788fc  bind-8.3.3-1.i386.rpm
   2643f256095fc5fcb23503dd42eaea66  bind-doc-8.3.3-1.i386.rpm
   6a443f0eb1aaf0554bcfbc2f2fa70d7f  bind-utils-8.3.3-1.i386.rpm
   e3169c6eb573efa0dadaf20398139649  glibc-2.2.4-24.i386.rpm
   99b6d865e57dad0a02e4b044f6cc432d  glibc-devel-2.2.4-24.i386.rpm
   ce75f09d371726a71a7e47b1dc238955  glibc-devel-static-2.2.4-24.i386.rpm
   730cda7ed0943f72ef638e774f804748  glibc-localedata-2.2.4-24.i386.rpm
   4c18a1fb6668ed2108445f02f6a91ba3  nscd-2.2.4-24.i386.rpm

   6.3 Installation

   rpm -Fvh bind-8.3.3-1.i386.rpm
   rpm -Fvh bind-doc-8.3.3-1.i386.rpm
   rpm -Fvh bind-utils-8.3.3-1.i386.rpm
   rpm -Fvh glibc-2.2.4-24.i386.rpm
   rpm -Fvh glibc-devel-2.2.4-24.i386.rpm
   rpm -Fvh glibc-devel-static-2.2.4-24.i386.rpm
   rpm -Fvh glibc-localedata-2.2.4-24.i386.rpm
   rpm -Fvh nscd-2.2.4-24.i386.rpm

   6.4 Source Package Location

   ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/CSSA-2002-034.1/SRPMS

   6.5 Source Packages

   85151e55276c5e060d280e0ad2308592  bind-8.3.3-1.src.rpm
   3c03dfaf0699cb383765de90db63c5d8  glibc-2.2.4-24.src.rpm


7. OpenLinux 3.1 Workstation

   7.1 Package Location

   ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2002-034.1/RPMS

   7.2 Packages

   a5cb00d82cc07c7f17f5a7d8c3a53af0  bind-8.3.3-1.i386.rpm
   eacfbda31e4e5931b420a53c351137cb  bind-doc-8.3.3-1.i386.rpm
   72d66fba400ff2eccb15bb0627af8d69  bind-utils-8.3.3-1.i386.rpm
   56539b28f36c6ae4f629dbf06bed92d3  glibc-2.2.4-24.i386.rpm
   f7de1ca0d9a16bc1cf16c30e4da0f0be  glibc-devel-2.2.4-24.i386.rpm
   0e2d6936f7f471361b954d488160420f  glibc-devel-static-2.2.4-24.i386.rpm
   3ec559d616917c6c52cab45791120cc7  glibc-localedata-2.2.4-24.i386.rpm
   119aa2e2e11593a83fb09039e1da34d1  nscd-2.2.4-24.i386.rpm

   7.3 Installation

   rpm -Fvh bind-8.3.3-1.i386.rpm
   rpm -Fvh bind-doc-8.3.3-1.i386.rpm
   rpm -Fvh bind-utils-8.3.3-1.i386.rpm
   rpm -Fvh glibc-2.2.4-24.i386.rpm
   rpm -Fvh glibc-devel-2.2.4-24.i386.rpm
   rpm -Fvh glibc-devel-static-2.2.4-24.i386.rpm
   rpm -Fvh glibc-localedata-2.2.4-24.i386.rpm
   rpm -Fvh nscd-2.2.4-24.i386.rpm

   7.4 Source Package Location

   ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2002-034.1/SRPMS

   7.5 Source Packages

   201a4e32d0cd8ddf272feefc0879e060  bind-8.3.3-1.src.rpm
   8b044928b118a84b4720b6ecdee804d4  glibc-2.2.4-24.src.rpm


8. References

   Specific references for this advisory:

   http://www.cert.org/advisories/CA-2002-19.html
   http://www.kb.cert.org/vuls/id/803539
   http://www.kb.cert.org/vuls/id/542971
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0651
   http://www.isc.org/products/BIND/bind-security.html

   Caldera security resources:

   http://www.caldera.com/support/security/index.html

   This security fix closes Caldera incidents sr866552, fz521492,
   erg501623.


9. Disclaimer

   Caldera International, Inc. is not responsible for the misuse of any of
   the information we provide on this website and/or through our security
   advisories. Our advisories are a service to our customers intended to
   promote secure installation and use of Caldera products.


10. Acknowledgements

   Caldera wishes to thank the CERT Coordination Center, Joost Pol of
   PINE-CERT, the FreeBSD Project, and the NetBSD Project for information
   used in this document.

______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAj1RrgwACgkQbluZssSXDTE9kACfQ5004ByTMYHtzSDNml6jn0Lu
FdgAoKR1bYDjr2ZAWhvZ2/dLWfm+JUR9
=4YQr
-----END PGP SIGNATURE-----
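Sections 3 through 7 of the advisory give the MD5 checksums and the rpm -Fvh commands as two separate lists. The POSIX shell script below, added here as an editorial example and not part of Caldera's advisory or its tooling, ties the two together for a hand-installed update: it reads a "Packages" block pasted verbatim from the advisory as a manifest, refuses to install unless every file in the download directory is present and matches its published digest, and only then applies all verified packages in one rpm transaction. The RPM override variable, the function names and the "install" argument are conventions of this example, not of cupdate or rpm.

```shell
#!/bin/sh
# verify_and_freshen.sh -- added example, not part of the Caldera advisory.
# Checks downloaded update RPMs against the MD5 list published in an advisory
# (the "Packages" block of sections 4.2 / 5.2 / 6.2 / 7.2) and only then runs
# the "rpm -Fvh" step of sections 4.3 / 5.3 / 6.3 / 7.3 as one transaction.
#
# MANIFEST  file holding the advisory's Packages block pasted as-is: lines of
#           "<32 hex chars>  <package file>"; any other line is ignored.
# RPMDIR    directory holding the files fetched from "Package Location".

RPM=${RPM:-rpm}    # assumed override hook for this example: RPM=echo dry-runs

# md5_of FILE: print the lowercase hex MD5 of FILE (coreutils or OpenSSL).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 "$1" | sed 's/^.*= //'
    fi
}

# is_md5 STRING: succeed only for a 32-character lowercase hex digest.
is_md5() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{32}$'
}

# verify_manifest MANIFEST DIR
# Prints one status line per package. Returns 0 only if every listed package
# exists in DIR with a matching digest, 1 on any mismatch or missing file,
# 2 if the manifest contains no package lines at all. Installs nothing.
verify_manifest() {
    manifest=$1 dir=$2 bad=0 seen=0
    while read -r expected name _rest; do
        is_md5 "$expected" || continue
        case $name in ''|*/*|.*) continue ;; esac   # plain file names only
        seen=$((seen + 1))
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name"; bad=1; continue
        fi
        actual=$(md5_of "$dir/$name")
        if [ "$actual" = "$expected" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (got $actual, advisory lists $expected)"; bad=1
        fi
    done < "$manifest"
    if [ "$seen" -eq 0 ]; then
        echo "no package lines found in $manifest" >&2
        return 2
    fi
    return "$bad"
}

# freshen_verified MANIFEST DIR
# Refuses to touch the system unless verify_manifest passes, then applies all
# listed packages in manifest order with a single "rpm -Fvh".
freshen_verified() {
    manifest=$1 dir=$2
    if ! verify_manifest "$manifest" "$dir"; then
        echo "checksum verification failed; nothing installed" >&2
        return 1
    fi
    set --                                   # rebuild "$@" as the file list
    while read -r expected name _rest; do
        is_md5 "$expected" || continue
        case $name in ''|*/*|.*) continue ;; esac
        set -- "$@" "$dir/$name"
    done < "$manifest"
    "$RPM" -Fvh "$@"
}

main() {
    case $#:${3:-} in
        2:)        verify_manifest "$1" "$2" ;;
        3:install) freshen_verified "$1" "$2" ;;
        *) echo "usage: $0 MANIFEST RPMDIR [install]" >&2; return 64 ;;
    esac
}

# Dispatch only when run with arguments; sourcing the file just defines the
# functions, e.g.:  sh verify_and_freshen.sh packages.txt ./RPMS install
if [ $# -ge 1 ]; then
    main "$@"
fi
```

Two caveats. The checksum list is only as trustworthy as the PGP-signed advisory it was copied from, so check the advisory's signature before trusting the digests, and prefer rpm --checksig where the vendor signs its packages. And rpm -F (freshen) upgrades only packages that are already installed, so bind-doc, the -devel packages and nscd are skipped on a system that never had them; that matches the behaviour of the per-package commands in sections 4.3 to 7.3.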